For a while now, I have been looking for a good encrypted XMPP client, something that supports PGP, for example.
I even considered developing one myself, but then I found out about Psi.

Psi is a simple-to-use open-source XMPP client that has PGP integrated into it. It works with GTalk (Google Chat) and Facebook. All you need to do is install it, generate your key (if you don’t have one already) and add your friends’ public keys.

The software can function as a normal XMPP client as well, meaning that if your friend doesn’t have it, you can chat in plain-text mode. If you send him an encrypted message, he will see an error message indicating that the message is encrypted: “[ERROR: This message is encrypted, and you are unable to decrypt it.]”.

Well, I didn’t believe I would write another post on the subject so quickly. But a bit after publishing my last post (reminder: read that post first), I went and changed my password to random keystrokes. The interesting thing was that my original password kept working! At first I thought that maybe I had made a mistake and hadn’t changed the password, but then I tried to log in with the same random keystrokes and it worked as well.

Apparently, you can’t change your password; you can just add a new one. So if someone has hacked your account, there is no way to lock him out.

Great security… just great….

Update: It seems my old password doesn’t work anymore; it seems it just kept working for a few long minutes. I tried resetting the password again while logged in from another computer. It did not log the other session out. It seems I can keep the session forever.

Oh, and another cool thing: you can send 5 free text messages from the website, meaning you can impersonate the user and send messages that will look to the receiver as if the victim sent them.

Today I received a phone call from Cellcom regarding my previous post. On the other end of the line was a customer relations representative. I tried to explain to her that saving a password in plain text is not legitimate, and that showing it to everyone with access to my phone is even less legitimate.

The representative tried to persuade me that the Israeli Ministry of Communications made them show the login information. I told her that I don’t buy it and that it violates the first rule of security. She told me that she would send my post to the team that handles the website, so I asked her to keep me notified and to have the team contact me, but she refused.

I don’t believe they will change it anytime soon (maybe if a Saudi hacker finds a way to exploit it and publishes all the information in their database…).

I recommend that the password you use for Cellcom’s website not be the same password you use for your email etc., because anyone with access to their database can read it, as can anyone with access to your phone.